Bug | Resolution: Other | P4 | None | 7u60 | x86 | os_x
FULL PRODUCT VERSION :
java version "1.7.0_65"
Java(TM) SE Runtime Environment (build 1.7.0_65-b17)
Java HotSpot(TM) 64-Bit Server VM (build 24.65-b04, mixed mode)
ADDITIONAL OS VERSION INFORMATION :
Darwin bmbp.local 13.3.0 Darwin Kernel Version 13.3.0: Tue Jun 3 21:27:35 PDT 2014; root:xnu-2422.110.17~1/RELEASE_X86_64 x86_64
(all)
A DESCRIPTION OF THE PROBLEM :
In ClientHandshaker.serverHello when it checks for the RenegotiationInfoExtension, if the extension is not found it should invalidate the SSL session so that it is not rejoinable and is not cached in serverFinished.
If invalidating the session is too heavy-handed, it should keep track of the fact that the RenegotiationInfoExtension was not found and check that boolean before caching the SSL session.
    // check the "renegotiation_info" extension
    RenegotiationInfoExtension serverHelloRI = (RenegotiationInfoExtension)
        mesg.extensions.get(ExtensionType.EXT_RENEGOTIATION_INFO);
    if (serverHelloRI != null) { ... }
    else {
        // should invalidate session here
    }
    ...
    private void serverFinished(Finished mesg) throws IOException {
        ...
        if (session.isRejoinable()) {
REPRODUCIBILITY :
This bug can be reproduced always.
CUSTOMER SUBMITTED WORKAROUND :
You need to force it to not reuse any cached sessions by building new SSLSocketFactories for each connection.
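The customer-submitted workaround above, as an added Java example (not code from the report or from the JDK): every connection gets a freshly built SSLContext and SSLSocketFactory, so no client session cache is shared between connections, and the session is invalidated after use. The placeholder host name and the `resumed` check are constructed for illustration.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/** Workaround: never share an SSLSocketFactory (and its session cache) across connections. */
public final class FreshFactoryClient {

    /** A new SSLContext owns a new, empty client session cache, so nothing can be resumed. */
    static SSLSocketFactory freshFactory() throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null); // default key managers, trust managers and RNG
        return ctx.getSocketFactory();
    }

    /** Opens one connection with its own factory and returns a copy of the session id. */
    static byte[] connectOnce(String host, int port) throws IOException, GeneralSecurityException {
        SSLSocket sock = (SSLSocket) freshFactory().createSocket(host, port);
        try {
            sock.startHandshake();
            SSLSession session = sock.getSession();
            byte[] id = session.getId().clone();
            // Belt and braces: mark the session non-resumable ourselves, which is what the
            // report asks ClientHandshaker.serverHello to do when renegotiation_info is absent.
            session.invalidate();
            return id;
        } finally {
            sock.close();
        }
    }

    /** Check: two consecutive connections sharing a non-empty session id means a resumption. */
    static boolean resumed(byte[] first, byte[] second) {
        return first.length > 0 && Arrays.equals(first, second);
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "example.invalid"; // placeholder host
        byte[] a = connectOnce(host, 443);
        byte[] b = connectOnce(host, 443);
        System.out.println(resumed(a, b) ? "WARNING: session was resumed" : "OK: fresh session each time");
    }
}
```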